Date: Sat, 17 Dec 2016 19:59:49 +0100 From: Alexander Leidinger <Alexander@leidinger.net> To: SK <fbstable@cps-intl.org> Cc: freebsd-jail <freebsd-jail@freebsd.org> Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial] Message-ID: <20161217195949.Horde.PTQ3AH5YpaT79dVSxM5UvNr@webmail.leidinger.net> In-Reply-To: <d606c9ee-f5f6-55c5-0c99-01fd47a4a378@cps-intl.org> References: <aa078173-e9f1-3f09-41d4-6613014b1119@cps-intl.org> <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz> <eed9efad-9bac-9d36-b75e-c41f9ea72a8b@cps-intl.org> <5849C5BF.7020005@quip.cz> <fb56ab21-026b-408d-f712-ed7479e1f269@cps-intl.org> <584A9179.9060508@quip.cz> <b53fba06-bb7d-06d8-34a4-4677805fb175@cps-intl.org> <584A9D89.4040003@quip.cz> <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org> <584AB345.4080307@quip.cz> <33473585-3cb9-10d3-acf9-0a917c5a0079@cps-intl.org> <20161216141540.Horde.zfu3fokeVx7FuFkk7_s-nbW@webmail.leidinger.net> <d606c9ee-f5f6-55c5-0c99-01fd47a4a378@cps-intl.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This message is in MIME format and has been PGP signed.
--=_K9AONlVuvw9Zy4MTTLpJPDH
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Quoting SK <fbstable@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +0000):
> On 16/12/2016 13:15, Alexander Leidinger wrote:
>> For one of the filesystems I have set "zfs allow" permissions, but=20=20
>>=20just that a specific user in the jail can do something on those FS=20=
=20
>>=20without the need to switch to root. So as long as you try to do a=20=
=20
>>=20zfs create/snapshot with an user with UID 0 inside the jail, the=20=20
>>=20"zfs allow" part doesn't come into play.
>>
>> So assume space/jails/xyz.leidinger.net/ to be the dataset which=20=20
>>=20contains the root of the jail but is not attached/attributed to the=20=
=20
>>=20jail itself. space/jails/xyz.leidinger.net/data with=20=20
>>=20mountpoint=3Dnone to be attributed ("zfs jail xyz=20=20
>>=20space/jails/xyz.leidinger.net/data") to the jail (similar to the=20=20
>>=20"space/something" in the ezjail config above, I have some=20=20
>>=20iocage-managed jails were this works). In this case you should be=20=
=20
>>=20able to do from inside the jail "zfs create -o mpuntpoint=3D/mnt=20=20
>>=20space/jails/xyz.leidinger.net/data/test".
>>
> hmmm, I'm slightly confused at this point. Let me see if I can=20=20
>=20clarify that in my brain
>
> If I understand you correctly, what you are suggesting is, the=20=20
>=20dataset used by the jail itself for its root/base cannot be "worked=20=
=20
>=20on" from within the jail, but if I define a different dataset (under=20=
=20
>=20the same branch below the jail dataset), and attribute it to the=20=20
>=20jail, then I can manipulate that "other" dataset. Could you please=20=
=20
>=20confirm if I understood it correctly?
Correct.
You need the data in the root of the jail to boot, if you then=20=20
attribute=20this dataset to the jail, it will vanish until "zfs mount=20=20
-a"=20is run (rc script inside the jail). As it will vanish during the=20=
=20
boot=20of the jail (if added automatically), the rc script to mount all=20=
=20
datasets=20can not be found.
>>> And now to everyone, I am still confused about zfs set jailed=3Don.=20=
=20
>>>=20As I mentioned on my previous emails, as soon as I do that, the=20=20
>>>=20dataset vanishes from the host system (as I understand, that is=20=20
>>>=20expected behaviour). Then the jail fails as it is unable to mount=20=
=20
>>>=20/dev, /proc
>>
>> From the zfs man page:
>> ---snip---
>> After a dataset is attached to a jail and the jailed property is set=
, a
>> jailed file system cannot be mounted outside the jail, since the jai=
l
>> administrator might have set the mount point to an unacceptable valu=
e.
>> ---snip---
>>
>> So yes, it is expected that it "vanishes", but it should be visible=20=
=20
>>=20from the parent host at the place inside the jail FS subtree were=20=
=20
>>=20it is mounted there (after setting the mountpoint of the dataset).
>>
> I think what you are trying to tell here is, unless and until that=20=20
>=20"vanished" dataset is put to use (mounted) from inside the jail, it=20=
=20
>=20will remain vanished/unusable from the host itself; however, once=20=20
>=20that dataset is put to use, the host system should be able to "see"=20=
=20
>=20and maybe even work on that dataset. Could you please confirm if I=20=
=20
>=20understood you correctly?
Correct.
A sub-dataset which is not needed to boot, or a dataset not within the=20=
=20
subtree=20of the jail (and not needed to boot) can be used.
Bye,
Alexander.
--=20
http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
--=_K9AONlVuvw9Zy4MTTLpJPDH
Content-Type: application/pgp-signature
Content-Description: Digitale PGP-Signatur
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJYVYskAAoJEKrxQhqFIICErHwP/13/s8PzZMP0lLFi4hh4SjxA
FHNVhEzdapZMtYMe62vz2W3UkSxZTRsGnehnYINvh6KOd0MZ6lKAfar8dIP20qrm
eIsj4qh9sWcEpkSYOpM16uEdNJ1wIdniKhd4OmR/nyMshdHHVXVtdRIDVVA6OFav
lscK45Evixfb5PKhReR1zpqa747jB8v8e6vbzmg8Or+I01gugb9Wa1j2g7BZhi+N
wOzIYa2Y5jn20xcCtuWG3EMbKXQATyhhfPvz/fKnedLFag4I4uoMtnCOI1iREDMk
FcZMs5YKXHvQRclfMKh+zTpc+Gszf8PQsHwNlU5veTmI7jsWP6p21HxTOjL/CbNy
SpIn+YQkqfCvVRGEogKHinl/ltUQnV7nT0g2kl1Od8eSHxCtJQUf0sOy0/PSBf2q
50sxX0FMWUazRNWf00BhIHcxHbj4PmW0lgh014eptKNoB2o0DF23bhD6DigE2zaC
TU0rnb3cDKeUIssu3gMrx0p3JlX1Ob9eyxVPWkSJwixlgIpazwAQRBFq6O8VuftW
gSDsNE7XUw3YS59kCiKMu/Sswr3pshy3pDpIONQp2j4//uFckVDMgQsbHdghCf68
oLxcoulpl4iPEBR5l0IkvSKWUoE/CRTSRRvr1O2X7PYW552NRMdWAJbiWdfG+lTk
JrPpii4sGtmpFoSjh5e4
=eVue
-----END PGP SIGNATURE-----
--=_K9AONlVuvw9Zy4MTTLpJPDH--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161217195949.Horde.PTQ3AH5YpaT79dVSxM5UvNr>